How to audit file activity from EMC Celerra and VNX file servers with Change Auditor for EMC

Hi, I'm Sean Barker, product manager at Dell Software. Today I'm going to demonstrate how Dell Change Auditor can audit file activity from EMC Celerra and VNX file servers. Event logging and change reporting from file servers is cumbersome and time-consuming using native tools because of the volume of data involved and the fact that there's no central console available for you to monitor this activity across your environment.
From here I can group by event type and get a high-level picture of all the file-related events happening on my EMC servers, including when files and folders are created, deleted, moved, renamed, as well as access rights changing. Let me take a look at a single event here. In this case, it's a file being moved. Every event that Change Auditor captures includes all of the relevant information in one simple readable event. That includes when the change occurred, where the activity took place, on which server, what folder or file was involved in the activity, who accessed the file, including the IP address that they came from.
Also, Change Auditor gives me the before and the after values, which allows you to more quickly troubleshoot problems. Here's a list of all the recent files that have been accessed. I can very quickly locate events related to specific users. For example, I see that the user Larry Strewn, here, who is actually a member of our IT administrators' group, recently tried to access a human resources folder. As you can see from the results of the event, that access attempt failed.
What's very powerful about Change Auditor is that from this one audit event you can very quickly pivot on that user and get a list of all the recent user activity. With a single click, now I can see all the other activity that Larry Strewn has taken on files and folders across the enterprise, as well as activities that aren't related to files. For example, all the recent logon sessions, and in fact, the most recent attempt to log on here that failed. With the related search capability, I can very quickly identify all changes made by specific users and groups on my EMC file servers.
All of the Change Auditor audit data is also available in a web client, so I can access this information from anywhere. From the web client, I can take the all EMC events search and run this search. Using Change Auditor's timeline feature, I can quickly plot the results of the search in an interactive timeline where I can drill into specific event types, for example the folder access rights change here, and see a list of recent audit events that match that criteria. From the timeline, I can click on a specific event and drill right back down to the same details I saw before.
From a compliance and a security perspective, it's very important to keep on top of file access or attempted access to critical files and folders within your environment. I can take a built-in search, for example the all EMC events search, and then focus this down on specific files, folders, or users. For example, we saw earlier that the user from the IT administrators' group was accessing folders that were not appropriate.
I can create a new search, which only tracks activity for members of the IT admin group. In this case, I'll define a new search called all EMC file access by IT. For the who, I'll actually define all the users that are part of the IT admins' group. I can also specify which servers that I want to monitor this activity on. For example, my critical servers that have financial or HR data.
I can take any search and configure it to be a real-time alert, which I can receive via email in my inbox or on my mobile device, or as a scheduled report. In this case I'm going to define it as an alert that will be sent to me by email. Whether you're subject to external compliance regulations or you've got internal auditors, they're also going to want to keep on top of this information. For example, they may want regular reports on file permission changes, particularly to the critical folders in your environment.
I'll configure a separate search. In this case, I'll call it all EMC file permission changes. For the what in this case, we're specifically targeting file and folder permission changes, so I'll just add these events. Again, I can also specify specific servers. In this case, I'll specify a server that houses our important financial data.
And once the search is defined, just as easily as I can create a real-time alert, I can also create a report that's scheduled on a regular basis. For example, I could have this report automatically scheduled, generated, and sent to our auditors every week on Monday.